Monday 10th December 2018

An ‘unknown third party’ has accessed the backup files of data collection firm Typeform

The data collection firm identified the breach on 27th June and patched the vulnerability 30 minutes later. The data accessed by the attacker from Typeform's backup file was collected before 3rd May.
by Jason Smith on 30th June 2018

An “unknown third party” has accessed the backup files of data collection firm Typeform, according to an announcement posted on the organization’s website.

Typeform, which provides tools to help webmasters collect data from their visitors, claims it identified the breach on 27th June 2018 at 14:00 CET and patched the vulnerability 30 minutes later.

The backup files were for data collected before 3rd May 2018 and the attacker grabbed the files after gaining access to Typeform’s servers.

It’s unclear how many records have been accessed but Typeform has referred to the backup as a “partial backup.”

As it’s a backup it could span many days, weeks, months or years of data. Moreover, due to the nature of Typeform’s business model – collecting user data – the haul could be substantial.

It claims that data collected since 3rd May is “safe”; however, it recommends that its customers contact form respondents to inform them of the data breach.

On its FAQ page it has provided customers with a template email they can send to subscribers. The email notes, “If your name and email was downloaded by the attacker, then we recommend that you watch out for potential phishing scams, or spam emails.”

Typeform claims that all subscription payment information, authentication data and payment details collected via its Stripe integration are safe.

While it has informed its users of what data is safe, the nature of the data that has been compromised is less clear.

As the data collection tools provided by Typeform are often used for surveys and lead generation, or as contact forms, the data accessed by the “unknown third party” could consist of users’ names, email addresses, home addresses and telephone numbers.

On why it didn’t notify customers sooner, Typeform claims it wanted to ensure “the vulnerability was resolved to prevent another attack.”

It also states it has brought in forensic security experts and set up new measures to minimize the risk of another data breach.

It states on its FAQ page:

“As a data collection company, maintaining the security and privacy of our customers’ data is our top priority. We will continue to take significant measures to prevent this type of situation from happening in the future, including a full-scale review of our security.”